What Ransomware Actually Costs
This is a portfolio sample for the Written Content offering. The source material was a set of written notes from an IT managed services consultant — the equivalent of what a retainer client would supply in place of a recorded briefing. The subject is ransomware risk for small businesses. I had no prior background in cybersecurity. The article was produced from those notes alone, with no external research, and is formatted for publication on LinkedIn under the client’s byline.
Small business owners consistently underestimate their exposure to cyberattacks. Dentists, restaurant owners, car dealerships — I work with the full range. What they tend to share is the belief that they are too small to be worth targeting. They are wrong.
The threat has changed significantly in the last several years. Ransomware used to be indiscriminate — mass phishing emails sent out by the thousands, hoping someone clicked. Now it operates more like a criminal industry. There are networks that provide attack tools, identify vulnerable targets, and handle payment collection. An attacker does not need technical skill to commission a strike on a specific business. They rent the capability, and most of these networks operate overseas, outside the reach of domestic law enforcement.
The attack itself is usually invisible until it isn’t. Software gets inside the network quietly, maps the environment, disables the backups when it can find them, and then activates — encrypting everything at once. It is like arriving at work to find that every lock in the building has been changed overnight, and then receiving a call from someone selling you the key. By the time you know it has happened, the window to stop it has already closed.
The three failure modes I see most often
The single most common entry point is a compromised credential — a username and password obtained through a phishing email or a brute-force attempt on a weak account. In every breach investigation I have conducted over the last three years, this was how the attacker got in initially. Multi-factor authentication closes this gap almost entirely. It costs nothing to enable on Microsoft 365 or Google Workspace, and businesses that don’t have it are running an unlocked front door.
The second failure is backups that have never been tested. Last year, a client — an auto dealership with about twenty-five employees — was hit on a Tuesday morning. Computers down, operations stopped, no deals running. When we went to restore from backup, we found the backup job had been failing silently for four months. The last clean copy was from February. They paid $47,000 in ransom, plus three days of lost operations. A tested, offsite backup service would have cost them around $200 per month. Immutable backups — written once and impossible to overwrite or encrypt — are the specific solution. If an attacker can reach your backups, they will target them first.
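A check like the following would have flagged that dealership's backup within a day instead of four months. It is an added illustration, not part of the consultant's notes or any backup vendor's tooling, and it assumes a nightly job that writes one .tar.gz archive per run into a single folder; the function name and the 26-hour limit are hypothetical choices.

```python
import sys
import tarfile
import time
import zlib
from pathlib import Path


def check_backups(backup_dir, max_age_hours=26, now=None):
    """Return a list of problems with the newest archive (empty list = healthy)."""
    now = time.time() if now is None else now
    # Assumption: the backup job writes one .tar.gz per run into backup_dir.
    archives = sorted(Path(backup_dir).glob("*.tar.gz"),
                      key=lambda p: p.stat().st_mtime)
    if not archives:
        return ["no backup archives found"]
    newest = archives[-1]
    problems = []

    # Freshness: a job that stopped running leaves an old "latest" copy behind.
    age_hours = (now - newest.stat().st_mtime) / 3600
    if age_hours > max_age_hours:
        problems.append(f"{newest.name} is {age_hours:.0f}h old "
                        f"(limit {max_age_hours}h)")

    # Test read: a job can still produce a file that is empty or truncated.
    # Reading every member forces each file in the archive to be decompressed.
    try:
        files = 0
        with tarfile.open(newest, "r:gz") as tar:
            for member in tar:
                if member.isfile():
                    stream = tar.extractfile(member)
                    while stream.read(1 << 20):
                        pass
                    files += 1
        if files == 0:
            problems.append(f"{newest.name} contains no files")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"{newest.name} cannot be read: {exc}")
    return problems


if __name__ == "__main__":
    found = check_backups(sys.argv[1] if len(sys.argv) > 1 else ".")
    for line in found:
        print("BACKUP PROBLEM:", line)
    sys.exit(1 if found else 0)  # non-zero exit lets a scheduler raise an alert
```

A readable archive is not proof of a usable restore; a periodic full restore to a spare machine remains the real test.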
The third failure is having no plan for when it happens. When an attack activates, the instinct is to panic — unplugging machines, calling whoever might know someone. By the time a qualified response team arrives, the malware has often been inside the environment for days, establishing persistence. The effective window is the first two to four hours. A single one-hour conversation with your team — who calls whom, who holds the backup credentials, how you continue partial operations — closes most of that gap.
What actually works
Antivirus checks files against a list of known threats. It catches what it recognizes and misses everything new. Endpoint detection and response — EDR — watches behavior instead: monitoring what programs are running, what connections are being made, what is accessing what. When something anomalous occurs, the system isolates the affected machine before the damage spreads. Antivirus is the lock on the front door. EDR is the security camera and alarm that catches the attempt before it becomes a breach. It is the current standard for any business that takes continuity seriously.
The average cost to recover from a ransomware attack — including downtime, remediation, and reputational damage — now exceeds $250,000. A managed EDR solution runs $800 to $1,500 per month. The math is not complicated.
None of this requires technical sophistication to implement. It requires a decision that the risk is real. For most small businesses, that decision is the only thing standing between normal operations and a very expensive Tuesday morning.